February 28, 2023 HAWKEYE

Digital Risk Management – Threat Hunting for Secrets, Keys and Leaked Source Code on Github

DRM stands for the procedure of locating, evaluating, and minimizing hazards to a company’s digital assets.

Background

Many firms have historically moved slowly toward digital transformation. Although manual processes were still suitable for many teams’ needs, they were time-consuming. Many businesses wanted to avoid dealing with the expense, disruption, or hiring and training requirements associated with switching to a new system or process. Things have changed since the COVID-19 outbreak, and it is anticipated that all businesses will increase their investment in technology projects, including security, risk, network, cloud, and mobility solutions. Organizations may accelerate growth, increase productivity, and gain better access to data by prioritizing digital transformation.

Additionally, enterprises now face more significant security risks than ever before in the digital age. Keeping sensitive information secure has become more challenging due to the growth of digital data, widespread use of cloud services, and reliance on outside contractors.

Digital Risk Management (DRM)

An integral component of every organization’s cybersecurity strategy is digital risk management (DRM). DRM stands for the procedure of locating, evaluating, and minimizing hazards to a company’s digital assets. In-depth analytics can be provided by a digital risk management solution to help your organization better monitor your compliance status and the current threat level for all risk factors. It can also use process automation, decision automation, digitized monitoring, early warning systems, and other automation techniques. Threat hunting is one of the key aspects of DRM, and it involves actively searching for potential threats and vulnerabilities in an organization’s digital environment.

Benefits of DRM

Without digital risk management, you can’t be confident that the technology you use is really worth it; new technology can create new dangers even as you expect it to eliminate existing issues. For instance, if a brand-new consumer-facing app abruptly goes down for an hour as a result of a software bug or a cyberattack, that may lead to unhappy customers and negative press. A poorly built application could give attackers access to private consumer information, putting you at risk of legal action and regulatory prosecution.

Businesses should prepare for cyberattacks and attempt to lessen the impact of a cyber incident by identifying and evaluating potential vulnerabilities in their IT networks. Additionally, the policies and guidelines of a digital risk management program can direct future choices regarding risk minimization while concentrating on organizational objectives. You may demonstrate compliance with a number of data security laws and industry standards, such as the EU’s General Data Protection Regulation, with the help of digital risk management.

Risks associated with source code leaks

Protecting source code is the first priority for developers of digital products. It serves as the blueprint for the company’s proprietary technology and as the backbone of the firm, including all of its internal workings and external dependencies. Source code should be closely guarded, since businesses compete on how reliable their software is. Nevertheless, there are several instances of well-known companies learning that their source code has been compromised.

Leaked source code, whether stolen or revealed, may not only give your rivals an advantage in creating new products but also enable attackers to exploit its flaws. Unauthorized disclosure of this code can expose information such as OAuth tokens, API keys, usernames, passwords, encryption keys, and security certificates, and may give malicious actors access to critical systems and intellectual property, enabling them to harvest private user and company information through security flaws.

Recent major Github breaches

Okta Leak:
In December 2022, Okta admitted that the source code contained in its Workforce Identity Cloud (WIC) GitHub repositories had been stolen. It confirmed that Auth0 products and other customer services were not affected, but it did not disclose who the attackers were or precisely what information was acquired. A leaked internal email that contained nearly the same amount of information about the incident had previously been released to the public.

Slack Leak:
Slack received notification of questionable activity on their GitHub account on December 29, 2022. During an investigation, the company learned that a small number of employee tokens had been stolen and used improperly to access a repository that was hosted externally. On December 27, the threat actor also downloaded private code repositories, although neither the main codebase for Slack nor any client data were contained in those downloads.

Dropbox Leak:
Dropbox has acknowledged that on November 1st, 2022, there was a data breach that resulted in unauthorized access to passwords, information, and other sensitive materials stored in their internal GitHub development repositories. An attacker took control of the GitHub account of a Dropbox developer who had fallen for a phishing scam. Over 130 internal code repositories were made accessible to the attacker through the compromised developer account.

Toyota Leak:
Toyota, a Japan-based automaker, acknowledged on October 7, 2022, that they had unintentionally left a credential granting access to client data in a public GitHub repository for almost 5 years. From December 2017 to September 2022, the code was publicly available. Even though Toyota claims to have invalidated the key, an exposure of this length may mean that some malicious parties have already gained access.

DRM for threat hunting code leaks

The recent appearance of secrets, keys and exposed source code on GitHub is one area of concern. Developers frequently collaborate on projects and exchange code on GitHub, a well-known platform for hosting code. Even though GitHub includes a number of security features, such as branch protection and two-factor authentication, it is not impervious to security breaches. Attackers are known to search GitHub for secrets and keys, including API keys, SSH keys, and login passwords, which can then be used to access private information, software, and systems. Leaked source code is also problematic because it can expose vulnerabilities that attackers can exploit.

DRM tools crawl the dark web, social media, and other digital channels to give hunters an external view of the organization’s current threat exposure. Threat hunters use a number of data sources, tools, and strategies to find risks.

Threat hunting on GitHub entails actively searching GitHub repositories for certain kinds of data, such as secrets, keys, and leaked source code. A variety of tools and strategies are available for this purpose, such as:

Security features offered by GitHub:
GitHub provides a number of security features, like branch protection and secret scanning, which can be used to detect and reduce potential security issues.

Tools from outside sources:
There are a number of outside resources that may be used to search GitHub repositories for secrets, keys, and other sensitive data, which are explained below:

  • GitHound:
    GitHound is a threat hunting tool that uses pattern matching, commit history searches, and a special result grading system to identify exposed API keys and other sensitive information across GitHub. Its features include GitHub/Gist code searching, generic API key detection, and commit history digging.
  • GitGuardian:
    With the platform GitGuardian, businesses may find and fix secrets that have unintentionally been added to code repositories. It employs cutting-edge algorithms to search through both public and private repositories for sensitive data, warning users when any possible vulnerabilities are found. GitGuardian regularly monitors repositories in order to find and immediately address any potential security vulnerabilities. This enables businesses to protect their secrets right away before any harm can be done.
  • Gitleaks:
    Gitleaks is an open-source tool that checks code repositories for hardcoded secrets and other security flaws and aids with code security. Developers can run Gitleaks on Windows, macOS, and Linux, making it a flexible tool.
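The three tools above share the same core technique: match known token formats with regular expressions, use a generic rule plus an entropy check for unstructured secrets, grade each hit to push placeholders and test fixtures down the list, and walk every commit rather than only the current tree. The following Python script is an added example of that technique written for this article; it is not code from GitHound, GitGuardian or Gitleaks, and the rule names, scoring weights and the sample commit history are constructed for illustration (the AWS and GitHub token formats it matches are publicly documented; the key values in the sample are fake).

```python
import math
import re
from dataclasses import dataclass

# Detection rules in the style of secret scanners such as Gitleaks and GitHound.
# Regexes follow publicly documented token formats; the rule ids are this example's own.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Generic "name = value" assignment for variables whose names suggest a secret.
    "generic-secret-assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
    ),
}

# Substrings that usually mean a match is a placeholder rather than a live credential.
PLACEHOLDER_MARKERS = ("example", "changeme", "xxxx", "dummy", "sample")


def shannon_entropy(value):
    """Bits per character: random keys score high, English words and filler score low."""
    if not value:
        return 0.0
    n = len(value)
    return -sum(value.count(c) / n * math.log2(value.count(c) / n) for c in set(value))


@dataclass
class Finding:
    commit: str
    path: str
    rule: str
    preview: str  # first characters only, so the report itself does not re-leak the secret
    score: int


def grade(rule, value, path):
    """Result grading (weights are assumptions): structured formats are trusted on sight,
    a generic assignment only counts when the value looks random, and placeholders or
    test fixtures are pushed down the list."""
    if rule == "generic-secret-assignment":
        score = 30 + (30 if shannon_entropy(value) >= 3.5 else 0)
    else:
        score = 80
    if any(marker in value.lower() for marker in PLACEHOLDER_MARKERS):
        score -= 40
    if re.search(r"(?i)(^|/)(test|tests|fixtures|docs)/", path):
        score -= 20
    return max(score, 0)


def scan_text(commit, path, text):
    """Run every rule over one file blob and grade each hit."""
    findings = []
    for rule, pattern in RULES.items():
        for match in pattern.finditer(text):
            value = match.group(1) if match.groups() else match.group(0)
            findings.append(Finding(commit, path, rule, value[:6] + "...", grade(rule, value, path)))
    return findings


def scan_history(commits, min_score=50):
    """Scan every revision, not just HEAD: a secret deleted in a later commit is still in history."""
    findings = []
    for commit in commits:
        for path, text in commit["files"].items():
            findings.extend(scan_text(commit["id"], path, text))
    return sorted((f for f in findings if f.score >= min_score), key=lambda f: -f.score)


# Constructed two-commit history: the first commit leaks credentials, the second
# "fixes" it by reading the key from the environment, but the old blob remains.
SAMPLE_HISTORY = [
    {"id": "c0ffee1", "files": {
        "config/settings.py": 'AWS_ACCESS_KEY_ID = "AKIAFAKE00000000DEMO"\n'
                              'API_TOKEN = "q8Zl2vPm9XaRt4Yw7Kd3Hs6Nb1Fg5Jc0"\n',
        "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                         "b3BlbnNzaC1rZXktdjEAAAAA...\n"
                         "-----END OPENSSH PRIVATE KEY-----\n",
    }},
    {"id": "c0ffee2", "files": {
        "config/settings.py": 'import os\nAWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]\n',
        "tests/fixtures.py": 'api_key = "sampleApiKey1234567890abcd"\n',
    }},
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"{f.score:3d}  {f.commit}  {f.path}  {f.rule}  {f.preview}")
```

Run against the constructed history, the scanner reports three findings, all in the first commit: the AWS-style key and the private key block score 80 on format alone, the generic API token scores 60 because its value is high-entropy, and the `sampleApiKey...` fixture drops to 0 and is suppressed. The second commit removing the key from `settings.py` changes nothing, which is the practical lesson behind the "commit history digging" feature: once a secret has been pushed, the only real fix is to revoke and rotate it.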

Potential threats, once identified, must be addressed as soon as possible. This may entail revoking keys or credentials that have been exposed, correcting coding flaws, or taking other corrective action.
